From b269651bb93f589ff44c9b74a0734736a4fc31fd Mon Sep 17 00:00:00 2001
From: Sam Xu <xcjsam@g.ucla.edu>
Date: Fri, 15 May 2026 17:50:07 -0700
Subject: [PATCH] fix(cloud-codex): trim trailing \n from GITHUB_PAT before
 embedding in git credentials URL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The shared `commonly-github-pat` secret ships with a trailing newline (commonly
introduced when minting via `cat token | base64`). When PR #382's boot script
interpolated $GITHUB_PAT directly into the git-credentials URL, the resulting
file contained an embedded newline in the password component, and git's
libcurl refused to parse it:

  fatal: credential url cannot be parsed: https://x-access-token:<pat>
  @github.com/...

Trims \n/\r from the PAT value before embedding. Verified live by manually
applying the same fix to the running cloud-codex-cody pod — git clone of a
private repo succeeded immediately afterward.

Closes the deterministic Gap 1 acceptance: agent has a usable GITHUB_PAT for
real git operations.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../templates/agents/cloud-codex-deployment.yaml         | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/k8s/helm/commonly/templates/agents/cloud-codex-deployment.yaml b/k8s/helm/commonly/templates/agents/cloud-codex-deployment.yaml
index c0b5c34d..5e0beee9 100644
--- a/k8s/helm/commonly/templates/agents/cloud-codex-deployment.yaml
+++ b/k8s/helm/commonly/templates/agents/cloud-codex-deployment.yaml
@@ -187,9 +187,16 @@ spec:
           # which keeps non-dev tiers safe if the env ever lands without
           # the secret.
           if [ -n "${GITHUB_PAT:-}" ]; then
+            # Trim any trailing newline/carriage-return baked into the
+            # secret value (often present when the PAT was minted via
+            # `cat token | base64`). git's libcurl refuses to parse a URL
+            # whose password component contains a newline ("credential
+            # url cannot be parsed") — verified empirically against the
+            # live `commonly-github-pat` 2026-05-15.
+            TRIMMED_GITHUB_PAT=$(printf '%s' "${GITHUB_PAT}" | tr -d '\n\r')
             git config --global credential.helper store
             mkdir -p /state
-            printf 'https://x-access-token:%s@github.com\n' "${GITHUB_PAT}" > /state/.git-credentials
+            printf 'https://x-access-token:%s@github.com\n' "${TRIMMED_GITHUB_PAT}" > /state/.git-credentials
             chmod 600 /state/.git-credentials
             git config --global credential.helper "store --file=/state/.git-credentials"
             git config --global user.name "${GIT_AUTHOR_NAME:-Cody}"